I recently presented to a C-level gathering of retail finance executives about the industry’s changing threat landscape and the emerging threats facing omni-channel sellers.
The retail security environment has changed dramatically in the past few years. Not that long ago, retailers mostly worried about protecting payment card information and staying PCI compliant. Data breaches weren’t perceived as a material threat by companies; the primary worry was PCI fines and penalties. Consumer concern was approximately zero.
Obviously, all this has changed. The merchants Coalfire speaks to now are – smartly – asking the same two questions: First, are we already compromised? Second, are we doing everything we can to keep from being compromised?
The focus of my NRF session was emerging risks, broadly outlined in five categories:
Outsourced services – Every retailer has its version of “an HVAC contractor.” In industries like healthcare, third-party organizations account for over 40 percent of all breaches. And there’s no silver bullet for managing vendors across the regulatory compliance ecosystem, with vastly different industry requirements (PCI, HIPAA, GLBA, etc.) that cause confusion.
Social media – As a single communications platform that offers compliance, legal, reputational and operational risks, social media can either cause or amplify a breach.
Cloud computing – Virtual environments reduce costs and improve operating efficiencies, but information security officers now have to draw a much bigger circle around “their” systems. If they do that well, security can actually be enhanced, as Coalfire CEO Rick Dakin recently described in a separate post.
Mobile – Mobile security standards are immature. We’re facing modern threats with “Windows 95”-level controls. The risks are compounded when mobile devices become aggregating points for sensitive data.
Cryptocurrencies – Bitcoin and its imitators offer new risks and security challenges, including the very real threat of theft for improperly managed holdings.
Achieving a baseline level of PCI compliance isn’t enough to fully address any of those challenges. Hackers are creative, persistent and amply rewarded for their successes. Retailers who are serious about protecting their customers need a true risk management strategy that identifies and protects critical assets, independently tests those protections, and continuously monitors for new threats.
There’s no fully technological solution to address these needs. EMV, P2PE and other technologies can harden systems, but controls will still be needed throughout the system.
When placing new technology into the system, don’t trust anything. Be prepared to manage and verify everything that is promised to you. Take a whitelist approach (permit only what has been explicitly vetted, and deny everything else by default) and consider third-party solution security validation.
Coalfire is the PA-QSA for many of the leading POS applications, and we're the QSA-of-record for over 200 leading multi-channel merchants. If you’re looking for a trusted, independent partner, contact us today.